filtering system calls with auid -1

ocakan ocakan at gmail.com
Tue Nov 17 09:38:17 UTC 2015


Hi!

My aim is to audit only commands executed by root (interactively) and avc
denied messages (selinux).

Some details about my audit-test-system and current audit configuration.
### MY CONFIGURATION:
uname -a:
Linux centos6 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
x86_64 x86_64 x86_64 GNU/Linux

### cat /proc/cmdline:
ro root=UUID=63f8768a-2eee-4472-8ebc-43372292a93b rd_NO_LUKS
LANG=en_US.UTF-8  KEYBOARDTYPE=pc KEYTABLE=de-latin1-nodeadkeys rd_NO_MD
SYSFONT=latarcyrheb-sun16  rd_NO_LVM rd_NO_DM rhgb audit=1

### rpm -q audit:
audit-2.3.7-5.el6.x86_64

### auditctl -l:
-a never,exit -S all -F auid!=-1
-a never,exit -S all -F auid!=0 -F auid<500
-a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
-a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
-a always,exclude -F msgtype=CWD

### auditctl -s:
AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
lost=0 backlog=0

### /etc/init.d/auditd status:
auditd (pid  4232) is running...

### grep -Hrn loginuid /etc/pam.d/:
/etc/pam.d/login:9:session    required     pam_loginuid.so
/etc/pam.d/sshd:9:session    required     pam_loginuid.so
/etc/pam.d/remote:9:session    required     pam_loginuid.so
/etc/pam.d/ssh-keycat:4:session    required     pam_loginuid.so

-----

MY QUESTION:
With the above listed configuration I still get audit.log entries with
auid=-1 including cron and anacron entries.

EXAMPLE AUDIT.LOG SNIPPET:
type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_ACQ msg=audit(1447748821.214:1370): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_START msg=audit(1447748821.215:1371): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=SYSCALL msg=audit(1447748821.215:1372): arch=c000003e syscall=59
success=yes exit=0 a0=7f24d92992d6 a1=7ffdc67f7a90 a2=7f24d9299340 a3=8
items=2 ppid=5863 pid=5865 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="root-commands"
type=EXECVE msg=audit(1447748821.215:1372): argc=3 a0="/bin/sh" a1="-c"
a2=636174202F6574632F736861646F7720263E2F6465762F6E756C6C
type=PATH msg=audit(1447748821.215:1372): item=0 name="/bin/sh"
inode=1045010 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1447748821.215:1372): item=1 name=(null) inode=1044483
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1447748821.216:1373): arch=c000003e syscall=59
success=yes exit=0 a0=e388c0 a1=e38e20 a2=e37b00 a3=7ffc3c6a4a20 items=2
ppid=5865 pid=5866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/bin/cat"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="root-commands"
type=EXECVE msg=audit(1447748821.216:1373): argc=2 a0="cat" a1="/etc/shadow"
type=PATH msg=audit(1447748821.216:1373): item=0 name="/bin/cat"
inode=1044629 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=PATH msg=audit(1447748821.216:1373): item=1 name=(null) inode=1044483
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=CRED_DISP msg=audit(1447748821.217:1374): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_END msg=audit(1447748821.217:1375): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'

What am I missing or doing wrong? I also tried working with pam_tty_audit
and aureport --tty but that is too detailed as every keypress gets logged.

Cheers,
Orhan
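As an added illustration (not code from the poster or the audit project), the following parser reads records like the ones quoted above, decodes the hex-encoded EXECVE argument, groups records by serial number and reports which execve events carry a real login uid and which carry the unset value 4294967295 ((unsigned)-1). The SYSCALL/EXECVE pair with serial 1380 (auid=500, ses=3, tty=pts0) is constructed for contrast and does not appear in the post.

```python
import re

# Records constructed from the snippet quoted in the post (fields abridged);
# serial 1380 is a made-up interactive execve (auid=500, ses=3) for contrast.
SAMPLE_LOG = """\
type=USER_START msg=audit(1447748821.215:1371): user pid=5863 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SYSCALL msg=audit(1447748821.215:1372): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=5863 pid=5865 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="root-commands"
type=EXECVE msg=audit(1447748821.215:1372): argc=3 a0="/bin/sh" a1="-c" a2=636174202F6574632F736861646F7720263E2F6465762F6E756C6C
type=SYSCALL msg=audit(1447748821.300:1380): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4001 pid=4002 auid=500 uid=0 euid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="root-commands"
type=EXECVE msg=audit(1447748821.300:1380): argc=1 a0="id"
"""

AUID_UNSET = 4294967295  # (unsigned)-1: no login uid was ever set on the process

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    m = re.match(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)', line)
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for key, dq, sq, bare in re.findall(r'(\w+)=(?:"([^"]*)"|\'([^\']*)\'|(\S+))', rest):
        if rtype == "EXECVE" and bare and re.fullmatch(r"a\d+", key):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")  # unquoted aN is hex
        fields[key] = dq or sq or bare
    return {"type": rtype, "time": float(ts), "serial": int(serial), **fields}

def group_events(log_text):
    """Join the records that share one serial number into a single event."""
    events = {}
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec["serial"], []).append(rec)
    return events

def root_commands(log_text):
    """(serial, auid, argv, login_uid_set) for every execve event in the log."""
    rows = []
    for serial, recs in sorted(group_events(log_text).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        ex = next((r for r in recs if r["type"] == "EXECVE"), None)
        if sc is None or ex is None:
            continue
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        auid = int(sc["auid"])
        rows.append((serial, auid, argv, auid != AUID_UNSET))
    return rows

def interactive_only(log_text):
    """Keep only commands whose process went through pam_loginuid (auid set)."""
    return [r for r in root_commands(log_text) if r[3]]
```

Running `root_commands(SAMPLE_LOG)` shows the cron-spawned shell (serial 1372) with auid 4294967295 and the decoded argv, while `interactive_only` keeps just the constructed pts session; the same split is what an auid-based rule filter would have to make.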